New Social Security Scam Emails Use Fake Tax Documents to Hijack PCs

Brownie2019 (Thread author)
Mar 9, 2019
A new scam is currently targeting thousands of people across the United States, using the name of the Social Security Administration to trick unsuspecting users. This campaign, which was first identified by the security firm LifeLock, arrives just in time for the busy tax season.

As per LifeLock’s tweet, the scam works by sending emails that look like official government notifications. As we have generally noticed, scammers rely on this sense of urgency to make people act without thinking. In this case, the same thing happens.

These messages use urgent language such as “Important Disclosures” or “Important Regulatory Information” to grab a person’s attention. And, while the sender’s name might say Social Security Administration, investigation revealed that the emails do not actually come from a legitimate government domain ending in .gov.
Full Story:
 
Valuable warning, worth keeping in mind. What’s most concerning is how these campaigns disguise themselves as official communications to gain trust and trick users into opening malicious attachments. The best defense at home remains basic prevention: being cautious with unexpected emails, always verifying the sender, and keeping systems updated. In the end, everyday security relies more on prudent habits than on sophisticated tools.🔒📧⚠️
 
Executive Summary

Confirmed Facts

A phishing campaign is currently impersonating the Social Security Administration, using urgent email lures to trick users into downloading a fake tax document named "Social_security_statements_2025.pdf".

Assessment
Instead of a standard document, clicking the link installs "Datto RMM", a legitimate IT management application, which the attackers are weaponizing as a Remote Access Trojan (RAT) to gain full control over the victim's device and steal data.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1566.002
(Phishing: Spearphishing Link)

T1219
(Remote Access Software)

CVE Profile
N/A [CISA KEV Status: Inactive]
(This attack relies on social engineering and the abuse of legitimate software, rather than exploiting a specific CVE).

Telemetry

File Names

"Social_security_statements_2025.pdf"

Tooling
"Datto RMM"

Constraint
The structure suggests the payload at the link destination is an executable, script, or shortcut disguised as a document, as clicking a legitimate PDF would not natively install RMM software without an unmentioned browser exploit.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Issue immediate security awareness communications regarding SSA-themed tax season phishing.

DETECT (DE) – Monitoring & Analysis

Command
Query EDR and SIEM for unexpected installations, service creations, or network connections related to "Datto RMM" across endpoints that are not authorized to run it.

Command
Hunt email gateways for subject lines containing "Important Disclosures" or "Important Regulatory Information" where the sender domain does not end in .gov.

RESPOND (RS) – Mitigation & Containment

Command
Isolate any endpoint identified with an unauthorized Datto RMM installation.

RECOVER (RC) – Restoration & Trust

Command
Validate the complete removal of the RMM tool and verify no secondary persistence mechanisms (e.g., newly created local admin accounts) were established before returning the host to the network.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Implement Application Control (e.g., WDAC/AppLocker) policies to explicitly block unauthorized RMM software certificates.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you clicked the link and installed the software. Datto RMM provides attackers with real-time interactive access to your machine.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Check Installed Programs, Scheduled Tasks, and Startup Folders for "Datto RMM" or any unrecognized remote desktop software. If found, uninstall it immediately and run a full offline antivirus scan.

Hardening & References

Baseline

CIS Benchmarks (Application Whitelisting / Software Restriction Policies).

Framework
NIST CSF 2.0 / SP 800-61r3.

Note
Because this attack abuses legitimate software, traditional signature-based Antivirus may not flag the Datto RMM binary itself. Behavioral monitoring and strict execution controls are required to stop Living-off-the-Land (LotL) techniques.

Source

HackRead Article
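As an added example (not code from the thread or from any of its posters), this is one way to implement the DETECT hunt described above over email-gateway logs: flag messages whose subject carries one of the quoted lures while the real sender domain is not a .gov domain, regardless of what the display name claims. The tab-separated log format, the sender addresses and every domain other than ssa.gov are constructed for the example.

```python
"""Hunt gateway logs for SSA-themed lures sent from non-.gov domains (constructed data)."""
from email.utils import parseaddr

# Subject lures quoted in the thread; matched case-insensitively.
LURE_SUBJECTS = ("important disclosures", "important regulatory information")

# Constructed sample log lines: "<From header>\t<subject>\t<attachment name>"
SAMPLE_LOG = """\
"Social Security Administration" <no-reply@ssa-notices.com>\tImportant Disclosures\tSocial_security_statements_2025.pdf
"Social Security Administration" <notice@ssa.gov>\tImportant Regulatory Information\tstatement.pdf
"SSA Portal" <alerts@ssa.gov.example.net>\tIMPORTANT REGULATORY INFORMATION\tdocument.pdf
"Payroll" <hr@corp.example>\tQ1 timesheet reminder\t
"Social Security Administration" <ssa@mail.gov.example.org>\tImportant Disclosures\tstatement.pdf
"""


def sender_domain(from_header: str) -> str:
    """Return the domain of the actual address, ignoring the (spoofable) display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_gov_domain(domain: str) -> bool:
    """True only when the domain ends in .gov; 'ssa.gov.example.net' does not qualify."""
    return domain == "gov" or domain.endswith(".gov")


def hunt(log_text: str) -> list[dict]:
    """Return one record per message matching the lure subject from a non-.gov sender."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sender, subject, attachment = (line.split("\t") + ["", ""])[:3]
        if not any(lure in subject.lower() for lure in LURE_SUBJECTS):
            continue
        domain = sender_domain(sender)
        if is_gov_domain(domain):
            continue  # legitimate government domain: not part of this hunt
        hits.append({"display_name": parseaddr(sender)[0], "domain": domain,
                     "subject": subject, "attachment": attachment})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The display name is kept in each hit because a sender claiming to be the Social Security Administration from a non-.gov domain is the strongest signal in the triage queue.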
 
I guess I am lucky that the EU is a bit more digital: I have a digital ID and a government-assigned email, where I get all official documents, like taxes.
All my bills and social security affairs are handled digitally as well. I have not opened a mailbox in years; it is full of advertisements and other junk.
 
If I'm concerned, I would just go to the SS website itself, and check for any notifications.

That's also what's nice about using a password manager, IMO: it confirms that the site is the one I've previously verified and saved as correct, and not a spoofed phishing site.